PT-2022-18837 · Jenkins · Jenkins Rocketchat Notifier Plugin+1
Marc Heyries
·
Published
2022-03-29
·
Updated
2023-11-17
·
CVE-2022-28139
CVSS v3.1
4.3
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Jenkins RocketChat Notifier Plugin versions 1.4.10 and earlier
Description
A missing permission check in the Jenkins RocketChat Notifier Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. This issue also results in a cross-site request forgery (CSRF) vulnerability due to the lack of requirement for POST requests in the form validation method.
Recommendations
For Jenkins RocketChat Notifier Plugin versions 1.4.10 and earlier, update to version 1.5.0 or later, which requires POST requests and Overall/Administer permission for the affected form validation method, thus mitigating the issue.
Fix
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Jenkins
Jenkins Rocketchat Notifier Plugin